Search
Search Results (13 CVEs found)
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2026-49940 | 1 Rrwo | 1 Net::cidr::set | 2026-06-05 | 6.5 Medium |
| Net::CIDR::Set versions through 0.20 for Perl accept non-ASCII IP addresses and netmasks. Unicode digits such as the Arabic-Indic One (U+0661) were accepted but not properly parsed as numbers. This could allow network masks to accept larger networks. | ||||
| CVE-2026-49941 | 1 Rrwo | 1 Net::cidr::set | 2026-06-05 | 7.5 High |
| Net::CIDR::Set versions through 0.20 for Perl did not validate IP addresses. The add method called the _encode method to parse addresses. If the addresses did not look like netmasks or network ranges, then they were assumed to single IP addresses and passed back to itself as a 32-bit or 128-bit netmask. If the argument was not a well-formed IP address, then this would lead to indefinite recursion. An attacker could use this to cause a denial of service. | ||||
| CVE-2026-49942 | 1 Rrwo | 1 Net::cidr::set | 2026-06-05 | 7.3 High |
| Net::CIDR::Set versions through 0.20 for Perl did not validate network masks. The mask portion of a network mask could contain Unicode digits such as the Arabic-Indic One (U+0661), or non-digits, which were ignored. This could allow network masks to accept larger networks. Leading zeros were also accepted, but treated as decimal instead of octal. This could lead to confusion about what networks are acceptable. | ||||
| CVE-2026-9658 | 1 Rrwo | 1 Plack::middleware::security::common | 2026-06-01 | 7.3 High |
| Plack::Middleware::Security::Common versions before 0.13.1 for Perl did not block header injections in request paths. The header injection rule was ineffective at blocking header injections in the request paths unless they were double-encoded, for example, GET /path\r\nHTTP/1.1\r\nHost: secret.example.com Note that it is unclear whether request paths with CRLF followed by additional headers would be blocked by reverse proxies, or how they would be processed by Plack-based servers. | ||||
| CVE-2026-46740 | 1 Rrwo | 1 Mojolicious::plugin::statsd | 2026-05-28 | 5.3 Medium |
| Mojolicious::Plugin::Statsd versions through 0.04 for Perl allowed metric injections. The metric names and set values were not checked for newlines, colons or pipes. Metrics generated from untrusted sources could inject additional statsd metrics. Version 0.06 changes the module from being a statsd client to using a separate statsd client. It defaults to using a version of Net::Statsd::Tiny that fixes a similar issue (CVE-2026-46720). | ||||
| CVE-2026-47373 | 1 Rrwo | 1 Crypt::saltedhash | 2026-05-21 | 7.5 High |
| Crypt::SaltedHash versions through 0.09 for Perl is susceptible to timing attacks. These versions use Perl's built-in eq comparison. Discrepencies in timing could be used to guess the underlying hash. | ||||
| CVE-2026-47372 | 1 Rrwo | 1 Crypt::saltedhash | 2026-05-21 | 9.1 Critical |
| Crypt::SaltedHash versions through 0.09 for Perl generate insecure random values for salts. These versions use the built-in rand function, which is predictable and unsuitable for cryptography. | ||||
| CVE-2026-46719 | 1 Rrwo | 1 Net::statsd::lite | 2026-05-19 | 6.5 Medium |
| Net::Statsd::Lite versions before 0.9.0 for Perl allowed metric injections. The metric names were not checked for newlines, colons or pipes. Metrics generated from untrusted sources could inject additional statsd metrics. | ||||
| CVE-2026-8788 | 1 Rrwo | 1 Net::statsd::lite | 2026-05-19 | 7.3 High |
| Net::Statsd::Lite versions through 0.10.0 for Perl allowed metric injections. The values from the set_add method were not checked for newlines, colons or pipes. Metrics generated from untrusted sources could inject additional statsd metrics. Note that version 0.9.0 fixed a similar issue CVE-2026-46719 for metric names. | ||||
| CVE-2026-46720 | 1 Rrwo | 1 Net::statsd::tiny | 2026-05-18 | 8.2 High |
| Net::Statsd::Tiny versions before 0.3.8 for Perl allowed metric injections. The metric names and set values were not checked for newlines, colons or pipes. Metrics generated from untrusted sources could inject additional statsd metrics. | ||||
| CVE-2026-45180 | 1 Rrwo | 1 Catalyst::plugin::statsd | 2026-05-12 | 7.5 High |
| Catalyst::Plugin::Statsd versions through 0.10.0 for Perl may leak session ids. If the communication channel to the statsd daemon is not secured (for example, by sending UDP packets to a host on another network), then users' session ids may be leaked. This may allow an attacker to use session ids as authentication tokens. | ||||
| CVE-2026-45179 | 1 Rrwo | 1 Plack::middleware::statsd | 2026-05-12 | 5.3 Medium |
| Plack::Middleware::Statsd versions before 0.9.0 for Perl may leak user IP addresses. If the communication channel to the statsd daemon is not secured (for example, by sending UDP packets to a host on another network), then users' IP addresses may be leaked. Since version 0.9.0, the IP address is no longer logged to statsd unless configured. When configured, an HMAC signature of the IP address is logged instead. | ||||
| CVE-2026-7040 | 1 Rrwo | 2 Text::minify::xs, Text\ | 2026-05-07 | 7.5 High |
| Text::Minify::XS versions from 0.3.0 before 0.7.8 for Perl have a heap overflow when processing some malformed UTF-8 characters. The minify functions mishandled some malformed UTF-8 characters, leading to heap corruption. Note that the minify_utf8 function is an alias for minify. | ||||
Page 1 of 1.